The European Union Agency for Cybersecurity (ENISA) and the European Commission have reached a significant milestone with the signing of a contribution agreement aimed at creating and managing the EU Cybersecurity Reserve. Announced on August 26, this initiative comes with a robust investment of €36 million over three years, signaling a powerful commitment to enhancing cybersecurity measures across the EU.
Under this agreement, ENISA will take on comprehensive administrative and operational roles for the EU Cybersecurity Reserve. This step marks a notable advancement within the framework of the EU Cyber Solidarity Act, aimed at improving the collective cybersecurity landscape of member states.
A Strategic Partnership for Cyber Resilience
Juhan Lepassaar, ENISA’s Executive Director, expressed pride in this collaborative effort, stating that it positions ENISA as a key player in the European cybersecurity ecosystem. “Being entrusted with such a prominent project puts ENISA in the limelight as a dependable partner to the European cybersecurity community,” he remarked, reinforcing the agency’s commitment to fostering a safer digital environment across Europe.
The European Commission’s decision to assign this critical responsibility to ENISA highlights the trust placed in the agency’s operational expertise. ENISA has consistently demonstrated its worth through various initiatives, including the ENISA Cybersecurity Support Action and contributions to the Cyber Analysis and Situation Centre, all of which have been supported by similar funding agreements.
Functionality and Scope of the EU Cybersecurity Reserve
Defined by Article 14 of the EU Cyber Solidarity Act, the EU Cybersecurity Reserve will consist of a curated array of pre-procured, high-trust incident response services. These resources will be readily available during cybersecurity emergencies, providing essential support to Member States and EU institutions. The Managed Security Service Providers (MSSPs) delivering these services are selected through competitive procurement processes, ensuring both transparency and quality.
This Reserve is tailored to assist critical sectors as outlined in the NIS2 Directive, with EU institutions, agencies, and offices also eligible for access. Furthermore, third countries that participate in the Digital Europe Programme may avail themselves of the Reserve, so long as their agreements contain appropriate access provisions.
Operational Mechanics
ENISA will be tasked with overseeing the procurement and ongoing evaluation of services within the Reserve. The agency will review support requests from national cyber crisis management authorities, Computer Security Incident Response Teams (CSIRTs), and CERT-EU acting on behalf of Union entities. For associated third countries, ENISA will relay requests to the European Commission, ensuring a cohesive support structure.
In collaboration with the European Commission and EU-CyCLONe, ENISA has also developed a streamlined mechanism designed to expedite the submission and processing of support requests. This initiative aims to quicken response times when facing cyber crises, enhancing overall readiness.
An innovative aspect of the Reserve allows for unused pre-committed services to be redirected towards preparedness efforts, such as training for incident prevention and response. This adaptive approach ensures that the resources are utilized effectively, aligning with the responsible management of EU funds.
Budget and Timeline
The newly established agreement injects an additional €36 million into ENISA’s budget over the next three years, augmenting the agency’s annual funding to €26.9 million by 2025. These financial resources will play a crucial role in executing and monitoring the Reserve’s operations through at least 2028.
The EU Cybersecurity Reserve is anticipated to become fully operational by the end of 2025, coinciding with the conclusion of the ENISA Cybersecurity Support Action in 2026. This overlap will facilitate a smooth transition for Member States currently engaged with the existing support frameworks.
In preparation for the Reserve’s launch, ENISA is also working on a European cybersecurity certification scheme for Managed Security Services, addressing the specific need for incident response services. This initiative was requested by the European Commission, and once established, MSSPs will be required to certify their services within a two-year timeframe following the scheme’s adoption under the Cyber Solidarity Act.
